2025 Session
Coronado ABC
1:30 pm - 2 pm, Monday, October 27
Third Party Risk Management: Can We Ditch the Questionnaires?
About

Security questionnaires have long been the backbone of third party risk management (TPRM). But are they actually improving security, or just creating low-value busywork for both the security teams who send them and the vendors who receive them? When organizations have hundreds, thousands, or even tens of thousands of vendors, the traditional approach of static assessments with hundreds of questions is proving inefficient and ineffective. It's time to rethink how we evaluate and manage third party risk so that our security teams - both customer and vendor - can focus on security instead of check-the-box exercises.

In this session, Chuck Kesler, CISO at Pendo, will draw on his TPRM experience from both the customer and vendor perspectives. An advocate for questionnaires earlier in his career, he'll explain how his views have shifted over time, including how his team has successfully implemented AI-based tools over the past two years to make their TPRM program more efficient. From the customer perspective, he'll discuss how to tier vendors based on actual risk, use AI and other tools to assess and monitor vendors, and embed security requirements into contracts. From the vendor perspective, he'll cover how organizations can proactively demonstrate security maturity, reduce assessment fatigue, and build trust through transparency. This is a vendor-neutral session: although some TPRM vendor solutions may be mentioned in passing, Chuck will also cover how his team has built its own tools in some cases.

Rough Draft of Session Agenda:

  • Introduction (5 minutes)
    • A story about my TPRM journey from being a CISO for a large healthcare organization to the CISO for a hypergrowth tech unicorn
  • Improving TPRM as a Customer (15 minutes)
    • The importance of understanding how a product will be used by your company
    • Requirements based on vendor risk tiering
    • AI bots to analyze vendors
    • Including security requirements in contracts
    • Third party security "credit score" monitoring - are they useful?
  • Improving TPRM as a Vendor (15 minutes)
    • Trust centers to deflect questionnaires
    • AI bots to assist with questionnaires when needed
    • Training go-to-market teams on how to talk about security
    • Dealing with inaccurate security "credit scores"
  • Blue Sky Ideas for the Future (5 minutes)
    • Integrations between contract management and GRC systems
    • Automated monitoring of vendors
    • (other ideas to be added later)
  • How to Apply What You've Learned Today (5 minutes)
InfoSec World